Felix Eckhofer felix at
Mon Jan 19 13:21:18 CET 2015


On 19.01.2015 12:49, Wolfgang Breyha wrote:
> Postfix doesn't honor 3.1.3 of the latest DANE-SMTP draft then?

It appears not to.

> "...SMTP client treatment of TLSA RRs with certificate usages PKIX-TA(0)
>    or PKIX-EE(1) is undefined.  SMTP clients should generally treat such
>    TLSA records as unusable."

Note that it says client treatment is undefined. It also says "should", 
not "SHOULD".
However, I don't think the connection should fail one way or the other 
(the certificate appears to be signed by a proper CA even). See 
dane-smtp 2.2.

